Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Tue Nov 30, 2010 4:52 pm

Interesting idea.... but I don't like the idea of people being able to access the management plane either if I've implemented Port Security.

User avatar
matgar
Ultimate Member
Posts:
756
Joined:
Wed Nov 17, 2010 5:53 pm
Certs:
CCNP, CCIP, CCNA Security

Re: port-security confusion

Tue Nov 30, 2010 5:58 pm

Now this is taking from cisco and its for the command switchport protected.(I know its not the same) Its a similar behavior.
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.


Steven King wrote:Interesting idea.... but I don't like the idea of people being able to access the management plane either if I've implemented Port Security.

I agree, makes you think a bit more about securing your control pane. But you should already have ACL's in place for the vty's.
But with that said I don't use vlan 1 and I use dedicated VLANs for management. So It shouldn't become an issue unless I inherit an existing network. (which does happen)

User avatar
scottsee
Post Whore
Posts:
1804
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 6:53 pm

Wouldn't using any Vlan as your management interface cause the same issue? Not just Vlan1? Are you saying the only real way to protect the management interface of a switch is to apply an ACL on the interfaces? I'm not following. This "plane" talk is over my skill set.. I'm only on the ICND1

User avatar
ristau5741
Post Whore
Posts:
10547
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: port-security confusion

Tue Nov 30, 2010 9:04 pm

scottsee wrote:Wouldn't using any Vlan as your management interface cause the same issue? Not just Vlan1? Are you saying the only real way to protect the management interface of a switch is to apply an ACL on the interfaces? I'm not following. This "plane" talk is over my skill set.. I'm only on the ICND1


not to confuse things, it's never so easy, as you advance you'll understand, alot of the way things really work is very simplified for the beginner.

as a side note: The router/switch is typically segmented into three planes, each with a clearly identified objective. The dataplane allows the ability to forward packets; the control plane allows the ability to route data correctly; and the management plane allows the ability to manage network elements.

User avatar
scottsee
Post Whore
Posts:
1804
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: port-security confusion

Wed Dec 01, 2010 2:43 pm

So... what? How does someone prevent a directly connected device from reaching a switches management interface? Change the default vlan1 management interface to a different vlan like 99? I'm strait up lost in what you guys are talking about..

User avatar
swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: port-security confusion

Wed Dec 01, 2010 2:49 pm

Yes, from what I've been reading in my CCNP studies, best practices would be to have a separate VLAN for data, voice, management, and native.

CruxV
Member
Posts:
128
Joined:
Fri Oct 22, 2010 10:12 am
Certs:
VCP5, VCP5-DT, CCNA: Security, CCNA

Re: port-security confusion

Wed Dec 01, 2010 2:54 pm

I think it's an inherent problem with the port security command itself.

From what I know, once enabled (and in protect or restrict mode NOT shutdown) it acts like a poorly written ACL - kinda like access-group 101 out attached to the VLAN interface itself. It will drop all traffic destined for any other IP address outside of the port it's connected to. But because the port is a part of the VLAN AND the VLAN has a management IP, it will be able to talk only to the VLAN's management IP.

I've heard from places that not even Cisco recommends using protect or restrict.

User avatar
Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Wed Dec 01, 2010 2:56 pm

huh?
http://blog.alwaysthenetwork.com

CruxV
Member
Posts:
128
Joined:
Fri Oct 22, 2010 10:12 am
Certs:
VCP5, VCP5-DT, CCNA: Security, CCNA

Re: port-security confusion

Wed Dec 01, 2010 2:57 pm

Vito_Corleone wrote:huh?


sorry vito... I read through the first could of pages when you guys were specifically talking about the port-security command. I was only responding to the first couple of pages of the discussion.

User avatar
Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Wed Dec 01, 2010 2:59 pm

CruxV wrote:
Vito_Corleone wrote:huh?


sorry vito... I read through the first could of pages when you guys were specifically talking about the port-security command. I was only responding to the first couple of pages of the discussion.


I get what you were talking about. The "huh?" still stands.

I'm not sure what you're saying.
http://blog.alwaysthenetwork.com

User avatar
mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: port-security confusion

Wed Dec 01, 2010 3:02 pm

huh from me too

port security has nothing to do with IP addresses

User avatar
Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Wed Dec 01, 2010 3:03 pm

Check this out:

http://www.cisco.com/en/US/docs/switche ... t_sec.html

Pay close attention to how they define the different violation modes.

You're talking about IPs and management SVIs. That's my "huh". Basically, all port security does it drop frames from MACs that aren't authorized on the port. When it's configured to shutdown, it doesn't just drop, it puts the port into err-disable.
http://blog.alwaysthenetwork.com

CruxV
Member
Posts:
128
Joined:
Fri Oct 22, 2010 10:12 am
Certs:
VCP5, VCP5-DT, CCNA: Security, CCNA

Re: port-security confusion

Wed Dec 01, 2010 3:27 pm

I don't disagree with what's written. I'm studying for my CCNA Security right now in fact so I understand what protect and restrict are supposed to do.

I was only trying to logically explain what could be happening behind the scene's within the IOS pertaining to what scottsee is explaining.

From Cisco :

When configuring port security, note the following syntax information about port security violation modes:

•protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

•restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.

•shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.


so in essence, the frame with an invalid source MAC should be dropped once it hits the port no questions asked, but scottsee is saying that protect and restrict are only working if he tries a destination other than the management IP of the VLAN associated to the port...

scottsee wrote:Yep. I turned on another switch and trunked a link between the two. Communication to the VLAN management interface is successful even though port-security is configured on the switch, but it will not process frames designated to any other ip address. ICMP ping and Telnet session requests from my desktop to the 2nd switched failed every time while the port-security counters increase as expect. Essentially doing the job that it should. When I turned off port-security on the offending f/01 port layer 3 communication goes back to normal and I'm able to reach my second switch.

Interesting..


so what I trying to do was create an analogy based on his findings:

Code: Select all
interface FastEthernet0/1
 switchport mode access
!
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 out
!
!
access-list 101 deny ip any any


...which should produce the same results as what he's explaining.

I could be wrong, I'm not contesting that. But it just made sense to me :o

User avatar
Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Wed Dec 01, 2010 3:33 pm

What scott is seeing is wrong.

And I think I'm still confused about your analogy. A deny all ACL applied to an SVI (on and L3 switch - important distinction) in the outbound will block all traffic OUT to hosts in the respective VLAN. I'm not sure how you're making the connection between that and this.
http://blog.alwaysthenetwork.com

User avatar
matgar
Ultimate Member
Posts:
756
Joined:
Wed Nov 17, 2010 5:53 pm
Certs:
CCNP, CCIP, CCNA Security

Re: port-security confusion

Wed Dec 01, 2010 11:49 pm

scottsee wrote:Wouldn't using any VLAN as your management interface cause the same issue? Not just Vlan1? Are you saying the only real way to protect the management interface of a switch is to apply an ACL on the interfaces? I'm not following. This "plane" talk is over my skill set.. I'm only on the ICND1

What you want to do is put management interface in a VLAN other than the one that is used by regular users.
So for example put regular user traffic on VLAN 10 and management SVI on VLAN 999. Going further if its a L2 switch it doesn't need a SVI for VLAN 10 so there is no way regular users can interact with the switch. If its a L3 switch that your using as a default gateway for VLAN 10 you can then put a ACL incoming on SVI VLAN 10 to block access to VLAN 999 subnet.
Then in a production environment you would also put ACL's on the VTY lines and on snmp polls. If supported you can also enable ssh and disable telnet. Same with https and http if your using it.
This related to the management plane. cisco link

Then there is the control plane. Here you can create ACL's and service policy to rate limit traffic and/or block certain ports for the host (router) forwarding etc.
cisco link2

Also the point about not using VLAN 1 is that the only place you want there to be untagged L2 traffic is on the access ports. Its best practice to disable it and use other VLAN's.
The interface command for native VLAN comes into play if you have a trunk, and want to put any untagged traffic into a VLAN. For example have a trunk towards an IP phone which is then connected to a PC. Traffic from the IP phone should come tagged, but traffic from the PC will probably come in untagged. So the native vlan command will put the PC traffic in the correct PC VLAN.

@Scott: I guess we kinda got a little sidetracked from your OP, but since we(I) you got confused I thought I'd try to clear it up for you.

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Thu Dec 02, 2010 7:04 pm

Ok, so I tested this on my 2950T.. not so sure I really need to test this on my other switches.

Here's my lab at home:
Image

Now, when I did as Scott did, I got the very same thing.

I secured the port that 10.1.1.200 was on with a MAC address of 2222.2222.2222. Then:
1. Ping from 10.1.1.200 to 10.1.1.103; succeeded; saw psecure violations
2. Ping from 10.1.1.200 to 10.1.1.101; unsuccessful; saw psecure violations
3. Telnet from 10.1.1.200 to 10.1.1.103; successful; saw psecure violations
4. Once inside that terminal session, I could successfully telnet into 10.1.1.101 (Core Switch) even though I was still seeing psecure violations! I kind of suspected this though since I'm originating the new telnet session technically from 10.1.1.103.

That's pretty scary. Guess that's why you should use an ACL.

I also learned a bug. If you're configuring port security, you may get an error when entering a MAC address (In my case, 1111.2222.3333), saying that an internal error occured. Turns out if you use 2222.2222.2222 or something more like a real MAC address it's fine. Just a bug with using 1111.2222.3333
Last edited by Retired Account on Thu Dec 02, 2010 7:10 pm, edited 1 time in total.

User avatar
Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Thu Dec 02, 2010 7:05 pm

and?
http://blog.alwaysthenetwork.com

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Thu Dec 02, 2010 7:11 pm

Sorry was testing the picture out, I added the rest afterward :P

User avatar
Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Thu Dec 02, 2010 7:14 pm

hmm
http://blog.alwaysthenetwork.com

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Thu Dec 02, 2010 7:45 pm

I'm trying to test out using another VLAN as the native rather than VLAN 1... but I'm running into some trouble with my limited experience... I'll let you know what I find out once I can get this set up correctly.

'
PreviousNext

Return to scottsee's CCNA Journey

Who is online

Users browsing this forum: No registered users and 2 guests